GitHub Cloud Integration
GitHub Cloud integration with Flyingduck displays an inventory of the repositories in your organization and identifies misconfigurations. It also inventories the libraries each repository uses, identifies their known vulnerabilities, and detects hard-coded sensitive information (secrets) in the code on every commit. Additionally, you can perform Static Application Security Testing (SAST), which scans the source code itself for security vulnerabilities.
This is an overview of integrating Flyingduck with your GitHub repositories. To connect GitHub and receive detailed insights at every commit, follow the steps below:
App Integration
Scan Configuration
Choose how you want Flyingduck to scan your GitHub repositories:
- Direct cloud access
- Self-hosted Runner
Select Cloud Mode if you want your code to be scanned directly in Flyingduck’s cloud platform.
In this mode, the repository code is accessed by Flyingduck to perform the scans, and the results are displayed securely in the Flyingduck dashboard.
Cloud mode includes the PR scan feature by default. Flyingduck adds a check to each pull request; if the changes in the PR introduce issues, the check fails and the complete details of those issues are reported on the PR. When the SCA scan finds a vulnerable dependency, the check lists the CVEs and the Flyingduck-recommended version of the package that fixes all of its known vulnerabilities.
Selecting Cloud Mode will take you to the PR Scan Configuration section. We provide the flexibility to choose whether to enable default PR scans or not. Based on your preference, select the appropriate option during setup.
If you enable PR scans for the entire organization, all integrated repositories will have PR scanning enabled by default. Otherwise, no repository will have PR scans enabled initially.
You can always modify the PR scan configuration later, even after integration. Additionally, it is possible to trigger PR scans only for specific repositories by selecting “Disable” during setup and configuring PR scan settings individually for each repository afterwards.
After selecting your preferred option, click Continue to proceed.
Integrate with GitHub
Integrate your Version Control System to manage and optimize issues efficiently.
Enter your GitHub organization name exactly as it appears on GitHub, then click Verify.
You will be redirected to GitHub. Click Configure.
Select the user, and choose the appropriate organization where you want to install the Flyingduck App.
Before proceeding with the installation, select the repositories you wish to integrate with Flyingduck. Then click Install to complete the setup. This will install the Flyingduck App in your organization for the selected repositories.
After successfully installing the app, a confirmation message saying "Organization integrated successfully" will appear in the portal.
If the message does not appear, there may have been an issue during the integration process. Please contact our support team at support@flyingduck.io for assistance.
Branch Configuration
Branches configuration allows you to manage and customize monitored GitHub branches for automated scanning.
You can configure branches into two main stages: Production and Release. Branches such as Release, Staging, or Testing can be included in the Release stage. All other branches will be considered feature branches by default.
This configuration allows you to prioritize important branches and gain better visibility into your development workflow. Flyingduck will scan the configured branches and track all unique issues found. With this setup, you can monitor how many issues are present at each stage and how many are resolved before reaching production.
You can configure continuous scanning for your repositories in two ways:
- Enable for all branches – scans all branches continuously.
- Scan for active branches – scans only the branches you specify.
Select the option that best fits your workflow, then click Continue. After saving, a confirmation message saying "Branches saved successfully" will appear.
Jira Integration (Optional)
Flyingduck can be integrated with Jira to streamline issue tracking by automatically creating and linking issues discovered during scans to your Jira project boards. This ensures efficient management and resolution of vulnerabilities.
Setup Steps:
- Enter your Jira domain (e.g., https://your-org.atlassian.net).
- Enter the email address associated with your Jira API token.
- Enter your Jira API token.
- Click Test Authentication to verify the connection, or Skip to configure it later.
Once successfully authenticated, Flyingduck will seamlessly link detected issues to your Jira boards, allowing you to monitor, prioritize, and resolve them directly within Jira.
CI/CD Workflow Integration (Optional)
Flyingduck can be integrated into your CI/CD pipelines to automatically scan code during pipeline execution. This ensures that security issues are detected early in the development process, preventing potential vulnerabilities from reaching production.
Setup Instructions:
- Add the Flyingduck scanner to your CI/CD configuration file.
- Configure the scanner to run before your build step.
- Optionally, set the scanner to fail the build if any security issues are detected.
Once configured, Flyingduck continuously monitors your code during pipeline execution, helping teams maintain secure and reliable development workflows.
Runner App Integration
Scan Configuration
Choose how you want Flyingduck to scan your GitHub repositories:
- Direct cloud access
- Self-hosted Runner
Choose Runner Mode if you prefer to set up a dedicated VM and execute the scans within your own environment.
Runner mode gives you the flexibility to choose where Flyingduck scans your GitHub repositories. You can launch a VM on a public cloud or on on-premise infrastructure and configure it as a dedicated runner, so the source code is scanned inside your own environment. This supports on-demand, scheduled, or continuous automated scans, keeps scan load off your build pipeline, and can significantly reduce cost.
Select your preferred environment for runner deployment—AWS, Azure, or your own local VM.
Select VM Environment
Runner Mode: AWS Setup
To configure your self-hosted Flyingduck runner using AWS, follow these steps:
1. Retrieve Your API Key
Your runner requires an API key for configuration.
- Copy the displayed API key from the "Your API Key" section.
- Use the copy button for convenience.
2. Launch Self-Hosted Runner for AWS
Set up the necessary IAM role and infrastructure using AWS CloudFormation:
- Click the "Launch Stack" button. This opens the AWS Console with the Flyingduck CloudFormation template; the stack creates the IAM role that the runner uses.
- Once the stack has been created, AWS shows the ARN of the new role in the stack's outputs.
3. Add Flyingduck Role ARN
- Paste the created role ARN into the input field provided.
This authenticates your AWS environment for Flyingduck runner operations.
4. Continue Setup
- Click Continue to proceed to the next step.
- If you need to revise, use the Back button.
Tip:
Ensure your AWS account has permissions to launch CloudFormation stacks and create IAM roles. Review the IAM policy in the template before launching the stack: the role it creates is what the Flyingduck runner operates under in your account, so its permissions should be no broader than the runner needs.
Integrate with GitHub
Integrate your Version Control System to manage and optimize issues efficiently.
Enter your GitHub organization name exactly as it appears on GitHub, then click Verify.
You will be redirected to GitHub. Click Configure.
Select the user, and choose the appropriate organization where you want to install the Flyingduck App.
Before proceeding with the installation, select the repositories you wish to integrate with Flyingduck. Then click Install to complete the setup. This will install the Flyingduck App in your organization for the selected repositories.
After successfully installing the app, a confirmation message saying "Organization integrated successfully" will appear in the portal.
If the message does not appear, there may have been an issue during the integration process. Please contact our support team at support@flyingduck.io for assistance.
Branch Configuration
Branches configuration allows you to manage and customize monitored GitHub branches for automated scanning.
You can configure branches into two main stages: Production and Release. Branches such as Release, Staging, or Testing can be included in the Release stage. All other branches will be considered feature branches by default.
This configuration allows you to prioritize important branches and gain better visibility into your development workflow. Flyingduck will scan the configured branches and track all unique issues found. With this setup, you can monitor how many issues are present at each stage and how many are resolved before reaching production.
You can configure continuous scanning for your repositories in two ways:
- Enable for all branches – scans all branches continuously.
- Scan for active branches – scans only the branches you specify.
Select the option that best fits your workflow, then click Continue. After saving, a confirmation message saying "Branches saved successfully" will appear.
Jira Integration (Optional)
Flyingduck can be integrated with Jira to streamline issue tracking by automatically creating and linking issues discovered during scans to your Jira project boards. This ensures efficient management and resolution of vulnerabilities.
Setup Steps:
- Enter your Jira domain (e.g., https://your-org.atlassian.net).
- Enter the email address associated with your Jira API token.
- Enter your Jira API token.
- Click Test Authentication to verify the connection, or Skip to configure it later.
Once successfully authenticated, Flyingduck will seamlessly link detected issues to your Jira boards, allowing you to monitor, prioritize, and resolve them directly within Jira.
CI/CD Workflow Integration (Optional)
Flyingduck can be integrated into your CI/CD pipelines to automatically scan code during pipeline execution. This ensures that security issues are detected early in the development process, preventing potential vulnerabilities from reaching production.
Setup Instructions:
- Add the Flyingduck scanner to your CI/CD configuration file.
- Configure the scanner to run before your build step.
- Optionally, set the scanner to fail the build if any security issues are detected.
Once configured, Flyingduck continuously monitors your code during pipeline execution, helping teams maintain secure and reliable development workflows.
App Integration (Express)
Integrate with GitHub
Click on App Integration (Express) card in the integration menu.
Click on Connect GitHub. You will be redirected to GitHub.
Select the user, and choose the appropriate organization where you want to install the Flyingduck App.
Click Install to complete the setup. This installs the Flyingduck App in your organization.
After installing the app, select the repositories you want Flyingduck to scan, then click Next.
A confirmation message saying "Organization integrated successfully" will then appear in the portal.
If the message does not appear, there may have been an issue during the integration process. Please contact our support team at support@flyingduck.io for assistance.
Jira Integration (Optional)
Flyingduck can be integrated with Jira to streamline issue tracking by automatically creating and linking issues discovered during scans to your Jira project boards. This ensures efficient management and resolution of vulnerabilities.
Setup Steps:
- Enter your Jira domain (e.g., https://your-org.atlassian.net).
- Enter the email address associated with your Jira API token.
- Enter your Jira API token.
- Click Test Authentication to verify the connection, or Skip to configure it later.
Once successfully authenticated, Flyingduck will seamlessly link detected issues to your Jira boards, allowing you to monitor, prioritize, and resolve them directly within Jira.
CI/CD Workflow Integration (Optional)
Flyingduck can be integrated into your CI/CD pipelines to automatically scan code during pipeline execution. This ensures that security issues are detected early in the development process, preventing potential vulnerabilities from reaching production.
Setup Instructions:
- Add the Flyingduck scanner to your CI/CD configuration file.
- Configure the scanner to run before your build step.
- Optionally, set the scanner to fail the build if any security issues are detected.
Once configured, Flyingduck continuously monitors your code during pipeline execution, helping teams maintain secure and reliable development workflows.
CLI Integration
This integration provides a simple way to scan your codebase without doing any UI configuration.
Steps to Integrate:
1. Copy your Flyingduck API key. Retrieve it from the Flyingduck portal; the scanner needs it to authenticate and to upload results.
2. Clone your repository and change into it. Open your terminal and run:
   git clone <your-repository-url>
   cd <your-repo-folder>
3. Run the scan with Docker. Execute the following command to start the scan:
   docker run -e FD_API_KEY=<your-api-key> -v ${PWD}:/src --entrypoint /bin/bash flyingduckio/duckdefender:latest -c "duckdefender code --all"
   Replace <your-api-key> with the API key copied earlier. Note that a key typed inline like this is recorded in your shell history; exporting FD_API_KEY in your environment and passing -e FD_API_KEY without a value (Docker then reads it from the environment) avoids that.
4. View the scan results. The HEAD commit of the repository is scanned, and the findings, including potential security issues, are displayed in the Flyingduck portal dashboard.
For advanced configuration and additional flags, see the Flyingduck CLI documentation.
This guide gets you scanning quickly with Docker and your API key, without any UI configuration.
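The wrapper below is an added example, not Flyingduck's own CLI code. It runs the same docker command as the steps above but keeps the API key off the command line: the page's one-liner passes `-e FD_API_KEY=<key>`, which lands in shell history and is visible to other local users via `ps`, whereas here the key is exported as FD_API_KEY beforehand and forwarded with a bare `-e FD_API_KEY`, which Docker resolves from the caller's environment. The image name, the /src mount and the `duckdefender code --all` command are taken from the page; the function names and the FD_DRY_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example (not Flyingduck's code): safer local DuckDefender scan wrapper.
# Assumes the image, mount point and scan command shown on the page; the
# function names and FD_DRY_RUN are this example's own inventions.

FD_IMAGE=flyingduckio/duckdefender:latest

# Fail fast (status 2) instead of starting a container that can only error out:
# the key must be present, and the target must be a git checkout because the
# scanner reads the repository's HEAD commit.
fd_preflight() {
  repo_dir=$1
  if [ -z "$FD_API_KEY" ]; then
    echo "FD_API_KEY is not set; export it from your secrets store first" >&2
    return 2
  fi
  if [ ! -d "$repo_dir/.git" ]; then
    echo "$repo_dir is not a git checkout" >&2
    return 2
  fi
  return 0
}

# Scan the checkout at $1 (default: current directory). With FD_DRY_RUN=1 the
# docker command is printed instead of executed, which makes it easy to confirm
# that the key value itself never appears in the argument list.
fd_scan() {
  repo_dir=${1:-$PWD}
  fd_preflight "$repo_dir" || return $?
  runner=docker
  if [ "${FD_DRY_RUN:-0}" = 1 ]; then
    runner="echo docker"
  fi
  # A bare -e FD_API_KEY forwards the variable from this shell's environment.
  $runner run --rm \
    -e FD_API_KEY \
    -v "$repo_dir:/src" \
    --entrypoint /bin/bash "$FD_IMAGE" \
    -c "duckdefender code --all"
}
```

Usage: `export FD_API_KEY=...` (for example from a secrets manager or `read -s`), then `fd_scan /path/to/checkout`. Run once with `FD_DRY_RUN=1` to see the exact command and verify that only the variable name, never its value, is passed to Docker.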
Workflow Integration
Integrate Flyingduck seamlessly into your CI/CD pipelines to automate security scanning and ensure vulnerabilities are caught early.
Flyingduck scans your code on every commit, pull request, or build event within your existing CI/CD workflows.
Before committing the workflow file, there is one additional step: add the API key to the repository as an Actions secret.
API Key configuration
Navigate to the repository on GitHub (GitHub → GitHub Organization → GitHub Repository) and open the repository's Settings.
In the left navigation pane, under Security, click Secrets and variables, then click Actions.
Click New repository secret.
Enter FD_API_KEY as the secret name, paste the API key created earlier into the Secret box, and save. This secret is what authenticates the workflow run to Flyingduck; the workflow below reads it as ${{ secrets.FD_API_KEY }}, so the name must match exactly. This step must be completed for every repository selected for scanning.
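Because the secret must be created in every scanned repository, doing it by hand does not scale past a handful of repositories. The script below is an added example, not part of the Flyingduck documentation: it sets the FD_API_KEY Actions secret on each repository listed on stdin using the GitHub CLI. `gh secret set NAME --repo OWNER/REPO` reads the value from stdin, so the key never appears in the process list. It assumes `gh` is installed and authenticated with admin rights on those repositories, and that the key has already been exported as FD_API_KEY; the function name is this example's own.

```shell
#!/bin/sh
# Added example (not Flyingduck's code): create the FD_API_KEY Actions secret
# on many repositories at once with the GitHub CLI.
# Assumptions: `gh auth status` succeeds for an account with admin rights on
# each repository; FD_API_KEY is exported in the environment; the repo list
# arrives on stdin, one "owner/repo" per line (blank lines and # comments ok).

# Returns 0 when every repository was updated, otherwise the number of failures
# (2 when the key is missing, so nothing is attempted).
fd_set_secret_all() {
  if [ -z "$FD_API_KEY" ]; then
    echo "FD_API_KEY is not set; export it from your secrets store first" >&2
    return 2
  fi
  failed=0
  while IFS= read -r repo; do
    case "$repo" in ''|'#'*) continue ;; esac
    case "$repo" in
      */*) ;;
      *) echo "skipping malformed entry: $repo" >&2; failed=$((failed+1)); continue ;;
    esac
    # The key is piped on stdin, never passed as an argument.
    if printf '%s' "$FD_API_KEY" | gh secret set FD_API_KEY --repo "$repo" >/dev/null; then
      echo "set FD_API_KEY on $repo"
    else
      echo "failed to set FD_API_KEY on $repo" >&2
      failed=$((failed+1))
    fi
  done
  return "$failed"
}

# Usage: feed it the repositories you selected during integration, e.g. every
# non-archived repository in the organization (replace my-org):
#   export FD_API_KEY=...
#   gh repo list my-org --no-archived --limit 200 --json nameWithOwner \
#     --jq '.[].nameWithOwner' | fd_set_secret_all
```

The function reports per-repository failures to stderr and keeps going, so one repository where the account lacks admin rights does not block the rest; the non-zero return value tells you how many still need attention.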
Yaml file Configuration
- The integration requires minimal setup: add the Flyingduck scan step to an existing workflow, or create a new workflow file .github/workflows/duckdefender.yaml with the content below (it can also be downloaded from the portal):
env:
  docker_tag: flyingduckio/duckdefender:latest
name: DuckDefender
on:
  push:
    branches:
      - "main"
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Download image from Docker Hub
      - name: Download latest DuckDefender
        run: docker pull "${{ env.docker_tag }}"
      # Run DuckDefender
      - name: Run DuckDefender
        env:
          FD_API_KEY: ${{ secrets.FD_API_KEY }}
          GITHUB_TOKEN: ${{ github.token }}
          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
          GITHUB_REPOSITORY_OWNER_ID: ${{ github.repository_owner_id }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_REPOSITORY_ID: ${{ github.repository_id }}
          GITHUB_EVENT_NAME: ${{ github.event_name }}
          GITHUB_ACTOR: ${{ github.actor }}
          GITHUB_ACTOR_ID: ${{ github.actor_id }}
          GITHUB_HEAD_REF: ${{ github.head_ref }}
          GITHUB_BASE_REF: ${{ github.base_ref }}
          GITHUB_REF: ${{ github.ref }}
          GITHUB_SHA: ${{ github.sha }}
          WORKSPACE_PATH: /src
          LOG_LEVEL: debug
        run: |
          docker run --pull=always -e GITHUB_REPOSITORY_OWNER="$GITHUB_REPOSITORY_OWNER" \
            -e GITHUB_REPOSITORY_OWNER_ID="$GITHUB_REPOSITORY_OWNER_ID" \
            -e GITHUB_REPOSITORY="$GITHUB_REPOSITORY" \
            -e GITHUB_REPOSITORY_ID="$GITHUB_REPOSITORY_ID" \
            -e GITHUB_EVENT_NAME="$GITHUB_EVENT_NAME" \
            -e GITHUB_ACTOR="$GITHUB_ACTOR" \
            -e GITHUB_ACTOR_ID="$GITHUB_ACTOR_ID" \
            -e FD_API_KEY="$FD_API_KEY" \
            -e GITHUB_TOKEN="$GITHUB_TOKEN" \
            -e GITHUB_HEAD_REF="$GITHUB_HEAD_REF" \
            -e GITHUB_BASE_REF="$GITHUB_BASE_REF" \
            -e GITHUB_REF="$GITHUB_REF" \
            -e GITHUB_SHA="$GITHUB_SHA" \
            -e WORKSPACE_PATH="$WORKSPACE_PATH" \
            -e LOG_LEVEL="$LOG_LEVEL" \
            -v "${{ github.workspace }}":/src "${{ env.docker_tag }}"
Custom Branch
If you commit to a custom branch such as feature/* or bug/* and want to review the findings for that branch, add the branch pattern to the push trigger in duckdefender.yaml:
# Triggers the workflow on push events, but only for the critical branches
on:
  push:
    branches: [ "master", "main", "release", "develop", "feature/*", "bug/*" ]
After adding the YAML file and configuring the API key, commit the changes. If the branch you committed to matches one of the patterns in the workflow, a code scan runs and the results are sent to the Flyingduck portal for viewing.
Repeat the same procedure for each of the other repositories you want scanned.
- Results and detected issues are surfaced in the Flyingduck portal, enabling quick review and remediation.
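The workflow above runs only on push, so GITHUB_HEAD_REF and GITHUB_BASE_REF are empty and no pull request is scanned; it also sets no permissions block (so GITHUB_TOKEN gets the repository default, which can be read/write on every scope) and pulls the scanner image by the mutable :latest tag. The file below is an added example, not Flyingduck's downloadable template: the same job with a pull_request trigger, an explicit least-privilege permissions block, the image pinned by digest, and the secrets forwarded by name rather than spelled out on the docker command line. Which token scopes DuckDefender actually needs is an assumption here (contents: read to check out, pull-requests: write to report on the PR); adjust from the run logs. <digest> is a placeholder to be replaced with the sha256 shown on Docker Hub.

```yaml
# Added example (not Flyingduck's template): hardened variant of the page's workflow.
name: DuckDefender

on:
  push:
    branches: ["main", "release/*"]
  # pull_request is the event that populates GITHUB_HEAD_REF / GITHUB_BASE_REF
  pull_request:
    branches: ["main"]

# Least privilege for GITHUB_TOKEN. The scopes are an assumption about what
# DuckDefender needs; without this block the token gets the repository default.
permissions:
  contents: read
  pull-requests: write

env:
  # Pinning by digest makes the scanner image immutable; a re-pushed :latest tag
  # cannot silently change what runs against your source. <digest> is a placeholder.
  docker_tag: flyingduckio/duckdefender@sha256:<digest>

jobs:
  scan:
    runs-on: ubuntu-latest
    # GitHub withholds repository secrets from pull_request runs that originate in
    # forks, so FD_API_KEY would be empty there; skip the job rather than fail it.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
      - name: Run DuckDefender
        env:
          FD_API_KEY: ${{ secrets.FD_API_KEY }}
          GITHUB_TOKEN: ${{ github.token }}
          GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
          GITHUB_REPOSITORY_OWNER_ID: ${{ github.repository_owner_id }}
          GITHUB_REPOSITORY: ${{ github.repository }}
          GITHUB_REPOSITORY_ID: ${{ github.repository_id }}
          GITHUB_EVENT_NAME: ${{ github.event_name }}
          GITHUB_ACTOR: ${{ github.actor }}
          GITHUB_ACTOR_ID: ${{ github.actor_id }}
          GITHUB_HEAD_REF: ${{ github.head_ref }}
          GITHUB_BASE_REF: ${{ github.base_ref }}
          GITHUB_REF: ${{ github.ref }}
          GITHUB_SHA: ${{ github.sha }}
          WORKSPACE_PATH: /src
          LOG_LEVEL: debug
        run: |
          # Fail loudly if the FD_API_KEY secret was never created for this repository.
          test -n "$FD_API_KEY" || { echo "FD_API_KEY secret is not set" >&2; exit 1; }
          # A bare -e NAME forwards the variable from the step environment, so no
          # secret value is written into the command line or the run log.
          docker run --rm \
            -e FD_API_KEY -e GITHUB_TOKEN \
            -e GITHUB_REPOSITORY_OWNER -e GITHUB_REPOSITORY_OWNER_ID \
            -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_ID \
            -e GITHUB_EVENT_NAME -e GITHUB_ACTOR -e GITHUB_ACTOR_ID \
            -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_REF -e GITHUB_SHA \
            -e WORKSPACE_PATH -e LOG_LEVEL \
            -v "${{ github.workspace }}":/src "${{ env.docker_tag }}"
```

The separate `docker pull` step and `--pull=always` from the original are dropped because a digest-pinned reference always resolves to the same image; update the digest deliberately when you want a newer scanner. Pinning actions/checkout to a full commit SHA instead of @v4 is the same idea applied to the checkout action.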
Benefits:
- Continuous security checks without slowing down development.
- Detects vulnerabilities before code merges or deployment.
- Works with popular CI/CD tools such as GitHub Actions.
Click Continue after setting up to proceed with monitoring your pipeline scans in the portal.